CVE-2026-31773
Published: 01 May 2026
Summary
CVE-2026-31773 is a high-severity vulnerability of unspecified weakness type in the Linux kernel (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). It is ranked at the 11.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely identification, reporting, and patching of kernel flaws like CVE-2026-31773 to remediate the incorrect STK authentication labeling.
- SC-12 (Cryptographic Key Establishment and Management): requires proper management of cryptographic keys such as the STK, ensuring metadata accurately reflects the actual MITM authentication state achieved during Bluetooth SMP pairing.
- Wireless access control: establishes controls for wireless access including Bluetooth, enforcing usage restrictions and protections against misuse of improperly authenticated pairing keys.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A kernel Bluetooth SMP logic flaw allows adjacent-network exploitation of the remote pairing service (T1210) and enables Adversary-in-the-Middle attacks via a mislabeled "authenticated" STK in legacy Just Works flows (T1557).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: derive legacy responder STK authentication from MITM state. The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated.
Deeper analysis
CVE-2026-31773 affects the Linux kernel's Bluetooth Security Manager Protocol (SMP), specifically the legacy responder path in the smp_random() function. The vulnerability causes the stored Short Term Key (STK) to be incorrectly labeled as authenticated whenever the pending_sec_level is BT_SECURITY_HIGH, reflecting the local service's request rather than the actual pairing outcome. In Just Works or Confirm legacy pairing flows, where SMP_FLAG_MITM_AUTH remains clear, the resulting STK should remain unauthenticated, but the flaw fails to enforce this, misaligning key metadata with the pairing result.
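The following is an added illustration, not kernel code and not the fix commit: a deliberately simplified C model of the decision the analysis describes. It contrasts labeling the responder STK from the requested security level (the flawed behaviour) with labeling it from the MITM state actually achieved by the pairing method (the corrected behaviour), and shows why the label matters to a consumer that requires an authenticated key. The enum names JUST_WORKS and JUST_CFM come from the page; PASSKEY_ENTRY, the struct layouts and every function here are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model only (assumption): mirrors the page's description of
 * pending_sec_level, SMP_FLAG_MITM_AUTH and STK storage, not kernel code. */
enum sec_level { SEC_LOW, SEC_MEDIUM, SEC_HIGH };
enum pairing_method { JUST_WORKS, JUST_CFM, PASSKEY_ENTRY };

struct pairing_ctx {
    enum sec_level pending_sec_level; /* what the local service requested */
    bool mitm_auth;                   /* models SMP_FLAG_MITM_AUTH: what pairing achieved */
};

struct stk {
    bool authenticated; /* key metadata consulted by later security checks */
};

/* Only a method that verifies the peer (here: passkey entry) sets MITM auth.
 * Just Works / Just Confirm give no protection against an active MITM. */
static void run_legacy_pairing(struct pairing_ctx *ctx, enum pairing_method m)
{
    ctx->mitm_auth = (m == PASSKEY_ENTRY);
}

/* Flawed responder path: derives the label from the *request*. */
static struct stk store_stk_flawed(const struct pairing_ctx *ctx)
{
    struct stk k = { .authenticated = (ctx->pending_sec_level == SEC_HIGH) };
    return k;
}

/* Corrected responder path: derives the label from the *achieved* MITM state. */
static struct stk store_stk_fixed(const struct pairing_ctx *ctx)
{
    struct stk k = { .authenticated = ctx->mitm_auth };
    return k;
}

/* Returns the "authenticated" label the stored STK ends up with. */
bool stk_authenticated(enum pairing_method m, enum sec_level requested, bool fixed)
{
    struct pairing_ctx ctx = { .pending_sec_level = requested, .mitm_auth = false };
    run_legacy_pairing(&ctx, m);
    struct stk k = fixed ? store_stk_fixed(&ctx) : store_stk_flawed(&ctx);
    return k.authenticated;
}

/* Consumer check: a service that requires HIGH security must only accept an
 * authenticated key. With the flawed label, a Just Works key passes this gate. */
bool high_security_accepts(enum pairing_method m, bool fixed)
{
    return stk_authenticated(m, SEC_HIGH, fixed);
}

int main(void)
{
    const char *names[] = { "JUST_WORKS", "JUST_CFM", "PASSKEY_ENTRY" };
    for (int m = JUST_WORKS; m <= PASSKEY_ENTRY; m++) {
        printf("%-14s requested=HIGH  flawed label=%d  fixed label=%d\n",
               names[m],
               stk_authenticated((enum pairing_method)m, SEC_HIGH, false),
               stk_authenticated((enum pairing_method)m, SEC_HIGH, true));
    }
    return 0;
}
```

The table printed by main() shows the mismatch the advisory describes: under the flawed path every method yields an "authenticated" STK as soon as HIGH security was requested, whereas the fixed path only does so for the passkey flow, so a later HIGH-security check no longer accepts a key produced by an unauthenticated Just Works or Just Confirm pairing.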
An attacker on an adjacent network (AV:A) can exploit this issue with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) under an unchanged scope (S:U); this yields the CVSS v3.1 score of 8.8. The flaw enables potential misuse of improperly authenticated Bluetooth keys during legacy pairing.
Mitigation is available via patches in Linux kernel stable branches, including commits such as 061ee71ac6b03c9f8432fe49538c3682bfcf4cf3, 0afc846bd80073ffcd2b8040f2b2fafaea3d9f72, 20756fec2f0108cb88e815941f1ffff88dc286fe, 667f44f1392df6482483756458c48670e579e9ff, and 929db734d12db41ca5f95424db4612397f1bd4a7. These updates derive the legacy responder STK authentication from the actual MITM state and align the legacy path with Secure Connections handling, which treats Just Works/Just Confirm pairings as unauthenticated.
Details
- CWE(s)